Cisco Expressway
As per the recommendations in the Introduction section of this appendix, we strongly recommend disabling
SIP and H.323 ALGs on routers/firewalls carrying network traffic to or from an Expressway-E, because when
they are enabled they frequently interfere with the built-in firewall/NAT traversal functionality of the
Expressway-E itself. This is also mentioned in
General guidelines and design principles
With Expressway-E deployments involving NAT and/or dual network interfaces, some general guidelines
and principles apply, as described below.
Non-overlapping subnets
If the Expressway-E will be configured to use both LAN interfaces, the LAN1 and LAN2 interfaces must be
located in non-overlapping subnets to ensure that traffic is sent out the correct interface.
Clustering
When clustering Expressways that have the Advanced Networking option installed, cluster peers have to
be addressed with their LAN1 interface address. In addition, clustering must be configured on an interface
that does not have Static NAT mode enabled.
We therefore recommend that you use LAN2 as the externally facing interface, and that LAN2 is used as the
static NAT interface where applicable.
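The two constraints above (non-overlapping LAN1/LAN2 subnets, and clustering kept off the static NAT interface) are easy to check before a change window. The following is an added example written for this page, not Cisco's code or anything shipped with Expressway: the parameter names (lan1, lan2, cluster_interface, static_nat_interface, cluster_peers) are assumptions standing in for the values an administrator reads off the IP configuration and Clustering pages, and the cluster-peer check is a heuristic: a peer address that falls inside the external LAN2 subnet is very likely the peer's LAN2 address rather than the required LAN1 address.

```python
"""Pre-deployment sanity checks for a dual-interface Expressway-E.

Added example (not Cisco code). Field names are assumptions; the values
would normally be read from the Expressway IP and Clustering pages.
"""
from ipaddress import ip_address, ip_interface
from typing import Iterable, List, Optional


def check_dual_nic_config(lan1: str, lan2: str,
                          cluster_interface: str = "LAN1",
                          static_nat_interface: Optional[str] = None,
                          cluster_peers: Iterable[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means no issue was found.

    lan1 / lan2 are the interface addresses in CIDR form, e.g. "10.0.10.5/24".
    LAN1 is assumed to be the internal interface and LAN2 the external one,
    which is the arrangement the guide recommends.
    """
    findings: List[str] = []
    if1 = ip_interface(lan1)
    if2 = ip_interface(lan2)

    # Non-overlapping subnets: if the two networks overlap, the routing table
    # cannot reliably pick the egress interface for a given destination.
    if if1.network.overlaps(if2.network):
        findings.append(
            f"LAN1 {if1.network} and LAN2 {if2.network} overlap; "
            "traffic may be sent out the wrong interface")

    # Clustering must be configured on an interface without Static NAT mode.
    if static_nat_interface and static_nat_interface == cluster_interface:
        findings.append(
            f"clustering and static NAT are both on {cluster_interface}; "
            "move static NAT to the other (externally facing) interface")

    # Cluster peers are addressed by their LAN1 address. Heuristic (assumption):
    # a peer address inside this box's LAN2 subnet is almost certainly the
    # peer's external address, not its LAN1 address.
    for peer in cluster_peers:
        if cluster_interface == "LAN1" and ip_address(peer) in if2.network:
            findings.append(
                f"cluster peer {peer} lies in the LAN2 subnet {if2.network}; "
                "use the peer's LAN1 address instead")
    return findings


if __name__ == "__main__":
    # Constructed sample values: overlapping subnets and static NAT on the cluster interface.
    for finding in check_dual_nic_config("10.0.10.5/24", "10.0.10.200/25",
                                         static_nat_interface="LAN1"):
        print("WARNING:", finding)
```

Run it with the real interface values before enabling clustering; an empty result only means these particular guidelines are satisfied, not that the wider routing design is correct.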
Static NAT restrictions when using SIP media encryption
You should not configure an Expressway for SIP media encryption if that same Expressway is also
configured for static NAT. If you do so, the private IP address will be sent in the SDP rather than the static
NAT address and this will cause calls to fail.
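The failure described above shows up in the SDP of the outgoing INVITE: the connection (c=) lines carry the Expressway-E's private interface address instead of the static NAT address, so the far end sends media somewhere unreachable. The following added example (written for this page, not Cisco code) pulls the connection addresses out of an SDP body per RFC 4566 and flags RFC 1918 addresses, which is a quick way to confirm this misconfiguration from a SIP trace. The SDP samples and the addresses in them are constructed.

```python
"""Inspect the connection addresses advertised in an SDP body.

Added example (not Cisco code). Useful when troubleshooting the
"private IP in SDP" symptom of combining static NAT with SIP media encryption.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# "Private" here means RFC 1918, i.e. the address space that sits behind NAT.
RFC1918_NETWORKS = [ip_network("10.0.0.0/8"),
                    ip_network("172.16.0.0/12"),
                    ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def sdp_connection_addresses(sdp: str) -> List[Tuple[str, str]]:
    """Return (scope, address) for each c= line; scope is 'session' or the media type.

    Only lines literally present are returned; a media section without its own
    c= line inherits the session-level address and is not listed separately.
    """
    scope = "session"
    result: List[Tuple[str, str]] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            scope = line[2:].split()[0]          # media type, e.g. "audio"
        elif line.startswith("c="):
            parts = line[2:].split()             # c=<nettype> <addrtype> <connection-address>
            if len(parts) >= 3 and parts[0] == "IN":
                result.append((scope, parts[2].split("/")[0]))  # drop multicast TTL/count
    return result


def find_bad_media_addresses(sdp: str, expected_public: str) -> List[str]:
    """Findings for c= lines that do not advertise the expected static NAT address."""
    findings: List[str] = []
    for scope, addr in sdp_connection_addresses(sdp):
        if is_rfc1918(addr):
            findings.append(f"{scope}: private address {addr} in SDP; "
                            f"expected static NAT address {expected_public}")
        elif addr != expected_public:
            findings.append(f"{scope}: address {addr} differs from expected {expected_public}")
    return findings


# Constructed SDP offer showing the failure: c= lines carry the private LAN address
# while media is offered as SRTP (RTP/SAVP).
SAMPLE_SDP_BROKEN = """v=0
o=- 1234567890 1 IN IP4 10.0.20.5
s=-
c=IN IP4 10.0.20.5
t=0 0
m=audio 49170 RTP/SAVP 0
m=video 51372 RTP/SAVP 96
c=IN IP4 10.0.20.5
"""

# Constructed SDP offer as it should look, carrying the static NAT address.
SAMPLE_SDP_OK = SAMPLE_SDP_BROKEN.replace("10.0.20.5", "198.51.100.10")

if __name__ == "__main__":
    for finding in find_bad_media_addresses(SAMPLE_SDP_BROKEN, "198.51.100.10"):
        print("WARNING:", finding)
```

Feed it the SDP body copied from the Expressway's SIP diagnostic log together with the configured static NAT address; any "private address" finding on a call that traverses the Expressway-E points at the encryption/static NAT combination this section warns about.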
Note that the recommended configuration for Expressway-C with Expressway-E deployments is to:
- configure the same media encryption policy setting on the traversal client zone on Expressway-C, the
traversal server zone on Expressway-E, and every zone on Expressway-E
- use static NAT on the Expressway-E only
With this configuration the encryption B2BUA will be enabled on the Expressway-C only.
External LAN interface setting
The External LAN interface configuration setting on the IP configuration page controls on which network
interface TURN relays are allocated. In a dual network interface Expressway-E configuration, this should
normally be set to the externally facing LAN interface on the Expressway-E.
Dual network interfaces
The following diagram shows an example deployment involving the use of an Expressway-E with dual
network interfaces and static NAT, an Expressway-C acting as a traversal client, and two firewalls/routers.
Typically in this DMZ configuration, FW A cannot route traffic to FW B, and devices such as the dual
interface Expressway-E are required to validate and forward traffic from FW A’s subnet to FW B’s subnet
(and vice versa).
Cisco Expressway Basic Configuration Deployment Guide (X8.2)
Page 50 of 57
Appendix 4: Advanced network deployments